Lizardbyte Sunshine vulnerabilities
11 known vulnerabilities affecting lizardbyte/sunshine.
Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 6, MEDIUM 3, LOW 1
Vulnerabilities
CVE-2026-32253 | P2 | CRITICAL | CVSS 9.8 | CWE-287 | fixed in 2026.516.143833 | 2026-05-22
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ER
cvelistv5, nvd
CVE-2024-51738 | P3 | HIGH | CVSS 8.1 | CWE-305 | fixed in 2025.118.151840 | 2025-01-20
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacke
nvd
CVE-2025-53095 | P3 | HIGH | CVSS 8.8 | CWE-352 | fixed in 2025.628.4510 | 2025-07-01
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine applicat
nvd
CVE-2024-31220 | P3 | HIGH | CVSS 7.3 | CWE-22 | ≥ 0.16.0, < 0.18.0 | 2024-04-05
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewa
nvd
CVE-2025-10199 | P3 | HIGH | CVSS 7.8 | CWE-428 | v2025.122.141614 | 2025-09-09
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.
nvd
CVE-2025-10198 | P3 | HIGH | CVSS 7.8 | CWE-427 | v2025.122.141614 | 2025-09-09
Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories.
nvd
CVE-2025-54081 | P4 | HIGH | CVSS 7.0 | CWE-428 | ≥ 0.10.0, < 2025.923.33222 | fixed in 2025.923.33222 | 2025-09-23
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed
nvd
CVE-2024-31221 | P4 | MEDIUM | CVSS 5.9 | CWE-384 | ≥ 0.10.0, < 0.23.0 | 2024-04-08
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI and then pairing only one device, all of the previously paired devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unp
nvd
CVE-2024-45407 | P4 | MEDIUM | CVSS 5.3 | CWE-300 | v2024-05-27 | >= 5fcd07ecb1428bfe245ad6fa349aead476c7e772, < fd7e68457a134102d1b30af5796c79f2aa623224 | 2024-09-10
Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertently allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is
nvd
CVE-2025-53096 | P4 | MEDIUM | CVSS 6.1 | CWE-1021 | fixed in 2025.628.4510 | 2025-07-01
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multipl
nvd
CVE-2024-31226 | P4 | LOW | CVSS 2.9 | CWE-428 | ≥ 0.17.0, < 0.23.0 | 2024-05-16
Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacker placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has m
nvd